The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

CBR also thinks this is a good time for Google to get its privacy ducks in a row:

Our View

While the privacy groups' goals are noble, the arguments in their complaint as they relate to the acquisition itself are rather weak, and we can't help but think that DoubleClick deal is just being seized as an opportunity to pressure Google into adopting better privacy practices.

Google is already big enough, and its privacy practices sufficiently slanted away from the end user, that it could use privacy reform whether it gets to buy DoubleClick or not.

A commitment to "anonymize" search data after two years storage is as good as no commitment at all. The company will still know which IP address and cookie has searched for what terms for the last two years.

What is needed from Google is a method by which users can opt out of having their queries logged, period. DoubleClick has had an opt-out feature for years. Google could simply lay an opt-out cookie on users' machines, and refuse to log any queries associated with that cookie.

This would very likely make the privacy criticisms go away.

The Financial Times has some further info on how Google is proposing to respond to this:

Google is developing technology to try to appease critics who complain that its proposed acquisition of DoubleClick will lead to an erosion of online privacy, according to Eric Schmidt, its chief executive.

Speaking in an interview, he also promised changes in the internet company’s policies, saying Google would do whatever was necessary to quell a rising tide of complaints about lack of privacy that began with news of its planned $3.1bn acquisition 10 days ago.

“At the end of the day, people will be happy,” said Mr Schmidt. “That’s because they have to be,” or Google would lose both users and advertisers and its business would be at risk, he said.

Fears have been stoked by the potential for Google to build up a detailed picture of someone’s behaviour by combining its records of web searches with the information from DoubleClick’s “cookies”, the software it places on users’ machines to track which sites they visit.

As the company that “serves”, or delivers, the majority of banner ads seen by web users, DoubleClick’s reach within its market is on a par with that of Google in the search business.

Mr Schmidt said Google was working on a way of handling “cookies” that would reduce concerns about the practice. The technology has long been controversial, because many internet users do not realise their surfing habits are tracked. Google has bowed to those concerns by not using cookies, though it has said it would change its policy after the DoubleClick acquisition.

“We have technology in that area that can make it much better,” Mr Schmidt said, though he refused to give details of the technique ahead of the company’s discussions with regulators.

Besides privacy groups, the DoubleClick deal has also stirred unease among advertisers and other online media companies over the competitive advantage Google would gain from the vast amount of information it would have about their businesses.

Mr Schmidt last week said that Google would consider arrangements to deal with those fears, such as keeping apart data about advertisers and media owners contained in Google and DoubleClick’s systems.

While stoking fears about loss of privacy, greater use of personal data collected online could have benefits, from enhancing the personalisation of services to helping fight terrorism, the Google chief executive said.

“These are the conflicts of our age,” he added. “We’re trying to find the right balance.”

Saturday, April 28, 2007

Earlier this month, a medical clerk was fined $10,000 for unlawfully accessing the personal health information of her lover's wife. To my knowledge, this is the first charge and conviction of its kind in Canada. The charges were laid under Alberta's Health Information Act. Most other provinces would have no penalty for such conduct.

CALGARY (CP) - A medical office clerk has been fined $10,000 for illegally obtaining health records of her lover's wife.

Stephanie MacDonald, who was charged under the Alberta Health Information Act, gained access to test results, biopsy findings and X-rays belonging to Marlene Stallard 17 times between August 2005 and May 2006.

Stallard, who is fighting ovarian cancer, told court in her victim impact statement the records were used in an attempt to convince her husband she was gravely ill.

It was part of MacDonald's strategy to make her adulterous relationship with James Stallard more permanent, she alleged.

''A violation of your privacy to that degree, when you're going through cancer, is a pretty terrible thing,'' Marlene Stallard said Friday, after the sentencing.

MacDonald, who could access information through her capacity as a clerk at the Dr. McPhalen Professional Corporation, maintained she was working under her lover's direction when she accessed the records. MacDonald and James Stallard are no longer lovers.

But James Stallard testified he only asked MacDonald to get information about his wife's condition twice, and denied he'd asked for information the other 15 times.

MacDonald also said she wasn't aware what she was doing was illegal, noting she'd never been briefed on such practices and her office didn't have a privacy policy.

Provincial court Judge Manfred Delong said he didn't believe a 12-year medical clerk didn't know what she was doing was wrong.

IT Business is running an article entitled SWIFT scandal exposes PIPEDA holes, in which the Privacy Commissioner of Canada and Phillipa Lawson of the Canadian Internet Policy and Public Interest Clinic lament that PIPEDA allows the disclosure of personal information without consent in response to a foreign subpoena.

Is this a loophole or something that should be remedied? Certainly the European Union thinks that disclosing European info in this way is not OK.

I'm not sure there is really anything that can be done about this, other than to keep data out of jurisdictions with laws that you consider offensive. Certainly, we have seen that the EU and some Canadian provinces think that the USA Patriot Act is overbroad and a threat to privacy. Unlike some public sector laws in Canada, PIPEDA is completely silent with respect to the export of personal information. But if data is in a jurisdiction with a lawful power to compel the production of that information, the practical impact of a foreign law is virtually nil. Particularly if the foreign law is as toothless as PIPEDA.

Practically speaking, the solution is really to keep those data warehouses out of those jurisdictions. While SWIFT is a European outfit, they had a data centre in the US that was within the lawful jurisdiction of the US authorities armed with subpoenas. As an international clearing system, it would obviously have to transmit some data back and forth between HQ and the US. But there doesn't seem to be any compelling argument to suggest that all that data should have been kept there.

Canada, with it's European-accepted privacy laws, would have been an ideal place to locate the SWIFT data centre. Miliseconds from New York and Brussels, but a world away from the US as far as privacy laws go. Any international company doing business with personal information in the United States really should think about this. What SWIFT did may have been completely lawful in the US, but it certainly has caused more than its fair share of headaches and has opened it up to potential liability in the EU.

Tuesday, April 24, 2007

According to BoingBoing, personal lubricant maker Astroglide has gotten itself into a slippery situation by allowing information on thousands of its customers to be accessible on the web. Information included names, addresses and lubricant purchases. Some of the information is still available through Google cache pages, showing how sticky the web can be. See: Boing Boing: Sex lube co's data breach exposes 250K+ personal records.

Friday, April 20, 2007

I don't envy Google these days. (Other than for the fact that they net a billion dollars in the first quarter of '07.) Many of their incredibly popular services depend upon knowing their users and in many cases being knowing them on a one-on-one basis. Because their slice of the web is growing, there are concerns out there that the aggregated databases of user information may be misused.

One of the newest services will probably be the most controversial: Google Web History tracks all your surfing and all your searches. You can easily go back to that website you visited two weeks ago but forgot the address, and you can analyze the trends in your browsing. That's a convenience. At the same time, every website you've visited and each search you've done will be very strongly linked to you and will be hosted in the United States. This means that it will be available to be handed over to law enforcement under the USA Patriot Act and other statutes. It may also be available to your spouse's divorce lawyer armed with a subpoena. Or is just there to be hacked into.

This may be very convenient and appealing for a lot of users, but people need to think carefully about the risks of having someone else host this highly personal data ....

I'll probably visit more than 100 web pages today, and so will hundreds of millions of people. Printed and bound together, the web pages you'll visit in just one day are probably bigger than the book sitting on your night table. Over the next month alone, that's an entire bookcase full! The idea of having access to this virtual library of information has always fascinated me. Imagine being able to search over the full text of pages you've visited online and finding that one particular quote you remember reading somewhere months ago. Imagine always knowing exactly where you saw something online, like that priceless YouTube video of your friend attempting to perform dance moves from a bygone age. Better yet, imagine having this wealth of information work for you to make searching for new information easier and faster.

Today, we're pleased to announce the launch of Web History, a new feature for Google Account users that makes it easy to view and search across the pages you've visited. If you remember seeing something online, you'll be able to find it faster and from any computer with Web History. Web History lets you look back in time, revisit the sites you've browsed, and search over the full text of pages you've seen. It's your slice of the web, at your fingertips.

How does Web History work? All you need is a Google Account and the Google Toolbar with PageRank enabled. The Toolbar, as part of your browser, helps us associate the pages you visit with your Google Account. If you're currently a Search History user, you'll notice that we've renamed Search History to Web History to reflect this new functionality. To sign up for Web History, visit http://www.google.com/history.

Sunday, April 15, 2007

The Washtington Post is reporting that the US Department of Education's national database of student loan recipients is being trolled for illegitimate purposes by authorized users. This has apparently been a problem for over four years.

....The database, known as the National Student Loan Data System, was created in 1993 to help determine whether students are eligible for student aid and to assist in collecting loan payments. About 29,000 university financial aid administrators and 7,500 loan company employees have access to it.

In a recent meeting with university financial aid directors, Theresa S. Shaw, chief operating officer of the department's Office of Federal Student Aid, which manages the database, said lenders have been mining it for student data with increasing frequency, according to three participants at the meeting. In the department's hierarchy, Shaw ranks above Fontana.

"She said the data mining had gotten out of control, and they were trying to tone it down," said Eileen K. O'Leary, director of student aid and finance at Stonehill College in Massachusetts, who was at the Feb. 26 session. "They'd seen the mining for a few years, but now they felt it had grown exponentially."

The department first started noticing a problem in mid-2003 when loan consolidation became more popular, according to an agency official who spoke on condition of anonymity because of the sensitivity of the matter. As companies began to aggressively look for low-risk borrowers to target for consolidation plans, they turned to the database for prospective customers, the official said.

The article says thousands of users have had their privileges revoked after security reviews showed abuse.

Assuming that it really is necessary to allow private sector players to have access to this database in the first place, perhaps prosections under the Computer Fraud and Abuse Act would get users' attention.

Friday, April 13, 2007

As more and more online services that collect personal information amalgamate, it is important to ask questions about what happens when databases of personal information merge as part of the process. Google already has an advertising network which collects clickstream data, and holds terabytes of personal e-mail, photos, videos and documents. Its social networking site, Orkut, is slowly growing. Doubleclick, on the other hand, has been in the clickstream game longer and is itself no stranger to privacy controversey. (You may recall the fuss raised when it was suggested the DoubleClick may perform data matching with offline personal information.) What's going to happen to the databases?

FEMALE civil servants in India are furious with new government guidelines that force them to list intimate details, including their menstrual history, in appraisal forms, a newspaper reported today.

The All-India Services Performance Appraisal Rules 2007 – which apply to senior government workers – ask female employees to record their last menstrual period, as well as when they last took maternity leave, the Hindustan Times said.

"The questions are too intrusive and have no bearing on our work," Seema Vyas, a senior bureaucrat in Maharashtra state, was quoted as saying.

India's Ministry of Personnel, which drew up the new appraisal guidelines, says it has not received any complaints and the addition of such questions was based on advice from health officials.

"I assume this will help evaluate the officer's fitness," Satyanand Mishra, the ministry's most senior bureaucrat, told the newspaper.

But women officers said it was "insensitive" and "irrelevant", adding they planned to protest.

"Health problems or aberrations are generally mentioned to assess the officer's physical fitness," said Chandra Iyengar, a senior civil servant.

Tuesday, April 10, 2007

ATLANTA - A computer disk containing the names, birth dates and Social Security numbers of 2.9 million Medicaid and children's health care recipients is missing, Georgia health officials said Tuesday.

The state said the security breach was reported by Affiliated Computer Services, a private vendor with a contract to handle health care claims for the state.

The CD was lost while it was being shipped from Georgia to Maryland, ACS spokesman David Shapiro said. The company has been working with the carrier, which Shapiro would not identify, for several days to find the package, he said.

Shapiro said there was no indication anyone had tried to access any of the personal data.

"We are treating this as a missing package," he said.

Officials said the information, including addresses, covered the four-year period up to June 2006 and included some people who are no longer on the rolls.

The Georgia Department of Community Health said it was requiring the Dallas-based company to notify everyone affected and to offer free credit reports. The children's health care program involved in the data loss is called PeachCare.

PeachCare is the state's health insurance program for low-income children. Medicaid is a health insurance program for the poorest residents. Both programs are funded with a combination of state and federal dollars.

State officials notified the Centers for Medicare and Medicaid Services, the U.S. Department of Health and Human Services, the Governor's Office of Consumer Affairs and the state attorney general.

An interesting investigation report from the Information and Privacy Commissioner of Alberta, in which the investigator found that an employer did not violate PIPA by seeking information about whether a current employee had sought employment with another company:

The Office of the Information and Privacy Commissioner has found that EPCOR Utilities Inc.
(EPCOR) complied with the Personal Information Protection Act (PIPA) when it collected,
used and disclosed personal employee information without consent. EPCOR’s collection, use
and disclosure of the employee’s personal information was also found to be reasonable for
purposes of an investigation.

The complainant, an EPCOR employee at the time, took a leave of absence from EPCOR.
Shortly thereafter, EPCOR received unsolicited information suggesting the complainant was
about to begin work for another company. EPCOR contacted the other company to verify the
complainant’s alleged employment there. The complainant complained that EPCOR
collected, used and disclosed his personal information without consent.

The Investigator found that EPCOR had collected, used and disclosed the complainant’s
personal information to investigate a possible contravention of the complainant’s employment agreement. As such, consent was not required.

Further, the Investigator found that the information qualified as personal employee
information under PIPA: the information was reasonably required to manage the
complainant’s employment relationship with EPCOR, and consisted only of information
related to that employment relationship. The complainant was notified at the time of hire that
his personal information could be collected, used or disclosed for investigation purposes. As
such, EPCOR did not require consent to collect, use and disclose the complainant’s personal
employee information in these circumstances.

Sunday, April 08, 2007

These sound like eminently sensible regulations that could be adopted as best practices for any company that handles personal information. According to the Privacy and Security Law Blog, the US Federal Communications Commission has adopted regulations about the release of calling records by telecommunications companies. The rules provide that information can only be released to those who have a password associated with the account. If no password is provided, the information can only be either (i) mailed to the address of record or (ii) telephoned to the phone number of record. Also, the customer has to be alerted via these approved channels of the address or the password is changed. Makes sense to me.

An Australian court has awarded damages for breach of privacy following the revelation by the Australian Broadcasting Corporation of the identity of a rape victim. This is important to Australia, but may also have a secondary effect here in the great white north, as Canadian courts are relatively open in citing and following other common law decisions. For the full scoop, check out Open and Shut: Victorian Court awards damages for breach of privacy.

The British Royal Academy of Engineers has published a very interesting report on privacy and technology: Dilemmas of Privacy and Surveillance. It is important that those that design technology have an appreciation of the privacy impact of that technology and this report is an encouraging step in that direction.

1. Executive Summary

This study identifies likely developments in information technology in the near future, considers their impact on the
citizen, and makes recommendations on how to optimize their benefits to society. The report focuses on an area where
the developments in IT have had a particularly significant impact in our everyday lives - the use of IT in surveillance,
data-capture, and identity management. It looks at the threats that these technologies may pose and at the role
engineering can play in avoiding and managing these risks. The following is a summary of the central concepts and
issues that the report investigates and the judgments the report makes about them.

Technological development: Technologies for the collection, storage, transmission and processing of data are
developing rapidly. These technological developments promise many benefits: improved means of storing and
analysing medical records and health data could lead to improvements in medical care and in management of public
health; electronic logging of journey details can promise improved provision of public transport and more logical
pricing for road use; and more details of peoples' everyday behaviour offer the possibility for developing better public
policy generally.

However, the development of these technologies also has the potential to impact significantly on privacy. How they
develop is to a large extent under the control of society. They can be allowed to develop in a way that means personal
data are open to the view of others - either centralised spies or local peeping toms. Or, they can be allowed to develop
so that personal data are collected and stored in an organised, controlled and secure manner. There is a choice
between a 'Big Brother' world where individual privacy is almost extinct and a world where the data are kept by
individual organisations or services, and kept secret and secure. The development of technology should be monitored
and managed so that its potential effects are understood and controlled. The possibility of failures of technologies
needs to be explored thoroughly, so that failures can be prepared for and, where possible, prevented.
Designing for privacy: There is a challenge to engineers to design products and services which can be enjoyed whilst
their users' privacy is protected. Just as security features have been incorporated into car design, privacy protecting
features should be incorporated into the design of products and services that rely on divulging personal information.

For example: means of charging road users for the journeys they make can be devised in such a way that an individuals'
journeys are kept private; ID or 'rights' cards can be designed so that they can be used to verify essential information
without giving away superfluous personal information or creating a detailed audit trail of individuals' behaviour;
sensitive personal information stored electronically could potentially be protected from theft or misuse by using digital
rights management technology. Engineering ingenuity should be exploited to explore new ways of protecting privacy.

Privacy and the law: British and European citizens have a right to privacy that is protected in law. The adequate
exercise of that right depends on what is understood by 'privacy'. This notion needs clarification, in order to aid the
application of the law, and to protect adequately those whose privacy is under threat. In particular, it is essential that
privacy laws keep up with the technological developments which impact on the right to and the expectation of privacy,
especially the development of the Internet as a networking space and a repository of personal information. The laws
protecting privacy need to be clarified in order to be more effective. As well as making the letter of the law more
perspicuous, the spirit must be made more powerful - the penalties for breaches of the Data Protection Act (1998) are
close to trivial. The report backs calls for greater penalties for misuse of data - including custodial sentences.

Surveillance: The level of surveillance of public spaces has increased rapidly over recent years, and continues to grow. Moreover, the development of digital surveillance technology means that the nature of surveillance has changed
dramatically. Digital surveillance means that there is no barrier to storing all footage indefinitely and ever-improving
means of image-searching, in tandem with developments in face and gait-recognition technologies, allows footage to
be searched for individual people. This will one day make it possible to 'Google spacetime', to find the location of a
specified individual at some particular time and date.

Methods of surveillance need to be explored which can offer the benefits of surveillance whilst being publicly
acceptable. This will involve frank discussion of the effectiveness of surveillance. There should also be investigation of
the possibility of designing surveillance systems that are successful in reducing crimes whilst reducing collateral
intrusion into the lives of law-abiding citizens.

Technology and trust: Trust in the government is essential to democracy. Government use of surveillance and data
collection technology, as well as the greater collection and storage of personal data by government, have the potential
to decrease the level of democratic trust significantly. The extent of citizens' trust in the government to procure and
manage new technologies successfully can be damaged if such projects fail. Essential to generating trust is action by
government to consider as wide a range of failure scenarios as possible, so that failures can be prevented where
possible, and government can be prepared for them where not. There also need to be new processes and agencies to
implement improvements. If a government is seen as implementing technologies wisely, then it will be considered
more trustworthy.

Protecting data: Loss or theft of personal data, or significant mistakes in personal data, can have catastrophic effects on
an individual. They may find themselves refused credit, refused services, the subject of suspicion, or liable for debts that
they did not incur. There is a need for new thinking on how personal data is stored and processed. Trusted third parties
could act as data banks, holding data securely, ensuring it is correct and passing it on only when authorised. Citizens
could have their rights over the ownership, use and protection of their personal data clarified in a digital charter which
would specify just how electronic personal data can be used and how it should be protected.

Equality: Personal data are frequently used to construct profiles and the results used to make judgements about
individuals in terms of their creditworthiness, their value to a company and the level of customer service they should
receive. Although profiling will reveal significant differences between individuals, the results of profiling should not be
used for unjustifiable discrimination against individuals or groups. Profiling should also be executed with care, to avoid
individuals being mistakenly classified in a certain group and thus losing rights which are legitimately theirs.

Reciprocity: Reciprocity between subject and controller is essential to ensure that data collection and surveillance
technologies are used in a fair way. Reciprocity is the establishment of two-way communication and genuine dialogue,
and is key to making surveillance acceptable to citizens. An essential problem with the surveillance of public spaces is
that the individual citizen is in no position either to accept or reject surveillance. This heightens the sense that we may
be developing a 'Big Brother' society. This should be redressed by allowing citizens access to more information about
exactly when, where and why they are being watched, so that they can raise objections to surveillance if it is deemed
unnecessary or excessively intrusive.

Recommendations

R1 Systems that involve the collection, checking and processing of personal information should be designed in order to
diminish the risk of failure as far as reasonably practicable. Development of such systems should make the best use of
engineering expertise in assessing and managing vulnerabilities and risks. Public sector organisations should take the
lead in this area, as they collect and process a great deal of sensitive personal data, often on a non-voluntary basis.

R2 Many failures can be foreseen. It is essential to have procedures in place to deal with the consequences of failure in
systems used to collect, store or process personal information. These should include processes for aiding and
compensating individuals who are affected.

R3 Human rights law already requires that everyone should have their reasonable expectation of privacy respected and
protected. Clarification of what counts as a reasonable expectation of privacy is necessary in order to protect this right
and a public debate, including the legal, technical and political communities, should be encouraged in order to work
towards a consensus on the definition of what is a 'reasonable expectation'. This debate should take into account the
effect of an easily searchable Internet when deciding what counts as a reasonable expectation of privacy.

R4 The powers of the Information Commissioner should be extended. Significant penalties - including custodial
sentences - should be imposed on individuals or organisations that misuse data. The Information Commissioner should
also have the power to perform audits and to direct that audits be performed by approved auditors in order to
encourage organisations to always process data in accordance with the Data Protection Act. A public debate should be
held on whether the primary control should be on the collection of data, or whether it is the processing and use of data
that should be controlled, with penalties for improper use.

R5 Organisations should not seek to identify the individuals with whom they have dealings if all they require is
authentication of rightful access to goods or services. Systems that allow automated access to a service such as public
transport should be developed to use only the minimal authenticating information necessary. When organisations do
desire identification, they should be required to justify why identification, rather than authentication, is needed. In such
circumstances, a minimum of identifying information should be expected.

R6 Research into the effectiveness of camera surveillance is necessary, to judge whether its potential intrusion into
people's privacy is outweighed by its benefits. Effort should be put into researching ways of monitoring public spaces
that minimise the impact on privacy - for example, pursuing engineering research into developing effective means of
automated surveillance which ignore law-abiding activities.

R7 Information technology services should be designed to maintain privacy. Research should be pursued into the
possibility of 'designing for privacy' and a concern for privacy should be encouraged amongst practising engineers and
engineering teachers. Possibilities include designing methods of payment for travel and other goods and services
without revealing identity and protecting electronic personal information by using similar methods to those used for
protecting copyrighted electronic material.

R8 There is need for clarity on the rights and expectations that individuals have over their personal information. A
digital charter outlining an individual's rights and expectations over how their data are managed, shared and protected
would deliver that clarity. Access by individuals to their personal data should also be made easier; for example, by
automatically providing free copies of credit reports annually.
There should be debate on how personal data are protected - how it can be ensured that the data are accurate, secure
and private. Companies, or other trusted, third-party organisations, could have the role of data banks - trusted
guardians of personal data. Research into innovative business models for such companies should be encouraged.

R9 Commercial organisations that select their customers or vary their offers to individuals on the basis of profiling
should be required, on request, to divulge to the data subjects that profiling has been used. Profiling will always be
used to differentiate between customers, but unfair or excessively discriminating profiling systems should not be
permitted.

R10 Data collection and use systems should be designed so that there is reciprocity between data subjects and owners
of the system. This includes transparency about the kinds of data collected and the uses intended for it; and data
subjects having the right to receive clear explanations and justifications for data requests. In the case of camera
surveillance, there should be debate on and research into ways to allow the public some level of access to the images
captured by surveillance cameras.

Friday, April 06, 2007

Last week, the British House of Lords declined to hear an appeal of the case which has been said to dramatically expand privacy rights for celebrities. At issue is a book that describes, among other things, the private life of Canadian folk singer Loreena McKennitt. The Court of Appeal had issued an injunction preventing the publication of the book. With the House of Lord's decision to not intervene, that decision stands.

Toronto — The British House of Lords has denied an application to appeal the verdict of Canadian folk singer Loreena McKennitt's controversial privacy case.

The far-reaching court decision has been viewed as greatly extending the privacy rights of celebrities and other public figures.

Last December, a British Court of Appeal upheld a lower-court judgment that found that a self-published book by Canadian expatriate Niema Ash -- Travels with Loreena McKennitt -- had infringed on the performer's privacy.

Ash, a London-based writer who had befriended and worked for McKennitt in the 1980s and 90s, took the appeal to the House of Lords this year.

But the Lords said her petition "did not raise an arguable point of law of general public importance."

Yesterday, Ash said she was "devastated" by the refusal to re-examine the case and said her last resort would be to take it to the European Court of Human Rights.

"It's quite unbelievable," she said. "The case now seems finished in England. Taking it to the Court of Human Rights is the only avenue left. . . . I'm determined not to let things drop now."

Meanwhile, she has republished the original book, deleting sections found by the courts to be intrusive.

McKennitt, on tour in Europe, said in a statement she was "grateful to the courts . . . who have recognized that every person has an equal right to a private life. . . ."

Monday, April 02, 2007

Canada's Privacy Commissioner has wrapped up her investigation of the SWIFT information sharing fuss and has concluded that SWIFT is subject to PIPEDA but did not violate the law when it handed over Canadian information in response to US subpoenas.

Ottawa, April 2, 2007 —The Privacy Commissioner of Canada, Jennifer Stoddart, today announced the conclusion of her Office’s investigation of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a European-based financial cooperative, that supplies messaging services and interface software to a large number of financial institutions in more than 200 countries, including Canada.

In her Report of Findings, made public today, the Commissioner confirmed that SWIFT is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy law, and that the organization did not contravene the Act when it complied with lawful subpoenas served outside the country and disclosed personal information about Canadians to foreign authorities. However, she emphasized that making use of existing information-sharing regimes, with built-in privacy protections, would allow for greater transparency for citizens.

Since her appointment, Ms. Stoddart has raised concerns about the personal information of Canadians flowing across borders. In her Report, the Commissioner stressed that organizations operating and connected in a substantial way to Canada are subject to PIPEDA and they must abide by the Act. “Simply because companies might operate in two or more jurisdictions does not relieve them of their obligations to comply with Canadian law,” said Ms. Stoddart.

It was alleged that SWIFT inappropriately disclosed to the US Department of Treasury (UST) personal information originating from or transferred to Canadian financial institutions. Ms. Stoddart launched a commissioner-initiated investigation into the matter to determine if there was a breach of PIPEDA, the federal law which covers the collection, use and disclosure of personal information in the course of commercial activities.

Following September 2001, the UST began issuing subpoenas to SWIFT for certain data held in SWIFT’s US-based operating centre. SWIFT obtained a series of privacy protections for the data it transferred to the UST.

In her Report, the Commissioner explained that PIPEDA allows an organization such as SWIFT to abide by the laws of other countries in which it operates. An organization that is subject to PIPEDA and that has moved personal information outside the country for business reasons may be required at times to disclose it to the legitimate authorities of that country. It is clear that in response to a valid subpoena issued by a court, person or body with jurisdiction to compel the production of information, an organization must disclose personal information and PIPEDA makes it permissible to comply with this obligation. The Commissioner stressed that multi-national organizations must comply with the laws of those jurisdictions in which they operate.

The Commissioner noted, however, that if US authorities need to obtain information about financial transactions that have a Canadian component, they should be encouraged to use existing information mechanisms that have some degree of transparency and built-in privacy protections. Accordingly, she signaled her intent to ask Canadian officials to work with their US counterparts to persuade them to use Canadian anti-money laundering and anti-terrorism financing mechanisms instead of the subpoena route.

“These alternate avenues would allow far greater Canadian involvement in the scrutiny of personal information and would better respect the value we give privacy protection,” said Ms. Stoddart. “Democratic societies must ensure that the fundamental rights and freedoms of the individual are respected to the extent possible, including the right to the protection of personal information.”

The Office reviewed the contractual documentation that exists between SWIFT and the banks, and concluded that the banks are meeting their obligations under the PIPEDA, noting that when an organization that contracts with a firm that operates both within and outside of Canada, it must respond to lawfully issued subpoenas in other jurisdictions as well as in Canada, and PIPEDA permits this.

Moreover, she found that each of the banks has very clear language in their privacy policies. These policies inform customers that the banks may send their personal information out of the country for certain purposes and that while such information is out of the country, it is subject to the laws of the country in which it is held.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of the privacy and protection of personal information rights of Canadians.

CIPPIC has issued the first batch of a series of working papers on identity theft. The papers released today include Introduction and Background, Techniques of Identity Theft, and Legislative Approaches to Identity Theft (all PDF). Additional papers examining identity theft caselaw, law enforcement, and policy approaches, as well as a Bibliography on identity theft, will be forthcoming. These working papers reflect research conducted during 2006 with funding from the Ontario Research Network for Electronic Commerce (ORNEC).

Please note that I am only able to provide legal advice to clients of my firm. If you have a privacy matter, please contact me about becoming a client. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser may not be protected by solicitor-client privilege.

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Due to professional ethics, the author may not be able to comment on matters in which a client has an interest. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.